Abstract — An important problem that arises during the
execution of service-based applications concerns the ability 
to determine whether a running service can be substituted 
with one with a different interface, for example if the former 
is no longer available. Standard Bounded Model Checking 
techniques can be used to perform this check, but they must be 
able to provide answers very quickly, lest the check hampers 
the operativeness of the application, instead of aiding it. The 
problem becomes even more complex when conversational 
services are considered, i.e., services that expose operations 
that have Input/Output data dependencies among them. In 
this paper we introduce a formal verification technique for an 
extension of Linear Temporal Logic that allows users to include 
in formulae constraints on integer variables. This technique ap- 
plied to the substitutability problem for conversational services 
is shown to be considerably faster and with smaller memory 
footprint than existing ones. 

Keywords: Bounded Model Checking, SMT solvers, Service-Oriented Architectures.



I. Introduction 

Service Oriented Architectures (SOAs) are a flexible set 
of design principles that promote interoperability among 
loosely coupled services that can be used across multiple 
business domains. In this context applications are typically 
composed of services made available by third-party vendors. 
This opens new scenarios that are unimaginable in traditional 
applications. On the one hand, an organization does not 
have total control of every part of the application, hence 
failures and service unavailability should be taken into 
account at runtime. On the other hand, during the application 
execution new services might become available that enable 
new features or provide equivalent functionalities with better 
quality. Therefore the ability to support the evolution of 
service compositions, for example by allowing applications 
to substitute existing services with others discovered at 
runtime, becomes crucial. 

Most of the frameworks proposed in recent years for the runtime management of service compositions make the assumption that all semantically equivalent services agree on their interface [1], [2]. In practice this assumption turns out to be unfounded. The picture is further complicated when one considers conversational services, i.e., services that expose operations with input/output data dependencies among them. In fact, in this case the composition must deal with sequences of operation invocations, i.e., the behavior protocol, instead of single, independent ones.

[3], [4] propose an approach to tackle the substitutability problem, i.e., the problem of deciding when a service can be dynamically substituted by another one discovered at runtime, based on Bounded Model Checking (BMC) techniques. Even if the approach proved to be quite effective, the Propositional Satisfiability (SAT) problem on which traditional BMC relies requires dealing with lengthy constraints, which typically limits the efficiency of the analysis phase. In the setting of the runtime management of service compositions this is not acceptable, as delays incurred when deciding whether services are substitutable or not can hamper the operativeness of the application.

In this paper we introduce a verification technique, based 
on Satisfiability Modulo Theories (SMT), for an extension of 
Propositional Linear Temporal Logic with Both past and fu- 
ture operators (PLTLB). This extension, called CLTLB(DL), 
allows users to define formulae including Difference Logic 
(DL) constraints on time-varying integer variables. 

Our SMT-based verification technique has two main ad- 
vantages: (i) unlike in traditional BMC, arithmetic domains 
are not approximated by means of a finite representation, 
which proves to be particularly useful in the service substi- 
tutability problem; (ii) the implemented prototype is shown 
to be considerably faster and with smaller memory footprint 
than existing ones based on traditional BMC, due to the 
conciseness of the problem encoding. 

The technique exploits decidable arithmetic theories sup- 
ported by many SMT solvers [5 | to natively deal with integer 
variables (hence, with an infinite domain). This allows us 
to decide larger substitutability problems than before, in 
significantly less time: the response times of our prototype 
tool make it usable also in a runtime checking setting. 

This paper is structured as follows: Section II introduces the issues underlying the runtime checking of service substitutability; Sections III and IV present, respectively, CLTLB(DL) and its SMT-based encoding for verification purposes; Section V explains how the approach works on a case study, and Section VI discusses some experimental results; finally, Section VII presents some related works.
II. Substitutability Checking of Conversational Services

The approach presented in [3] enables service substitution through the automatic definition of suitable mapping
scripts. These map the sequences of operations that the 
client is assuming to invoke on the expected service into 
the corresponding sequences made available by the actual 
service (i.e., the service that will be actually used). Mapping 
scripts are automatically derived given (i) a description of 
service interfaces in which input and output parameters 
are associated with each service operation, and (ii) the 
behavioral protocol associated with each service, described 
through an automaton. 

The mapping between an expected and an actual service assumes that two compatibility relationships have been previously defined. The first states the compatibility between states of two automata. The second concerns the compatibility between names and data associated with some operation $o_{exp} \in O_{exp}$ in the expected service and those associated with some operation $o_{act} \in O_{act}$ in the actual service. For the sake of simplicity, here we assume that states and operation names and data are compatible if they are called the same way (more sophisticated compatibility relationships are explored in [6]).

Given these definitions, we say that a sequence of oper- 
ations in the automaton of the expected service is substi- 
tutable by another sequence of operations in the automaton 
of the actual service if a client designed to use the expected 
service sequence can use the actual service sequence without 
noticing the difference. This can happen when the following 
conditions hold: 

1) The sequence in the actual service automaton starts 
and ends in states that are compatible with the initial 
and final states of the sequence in the expected service 
automaton. 

2) All data parameters of the operations in the actual 
service automaton sequence are compatible with those 
appearing in the expected service automaton sequence. 

This substitutability definition allows us to build a reasoning 
mechanism based on PLTLB that, given an expected service 
sequence, returns a corresponding actual service sequence. 

The formal model for reasoning about substitutability includes the behavioral protocols of both the expected and the actual services represented as Labelled Transition Systems (LTS) and formalized in PLTLB, in which each transition is labelled with the associated operation. Input and output parameters of each operation are also part of the model (Fig. 1 shows the LTS of a service discussed in Section V).

In addition, the model includes the definition of two kinds of integer counters. The first is called seen, and it is used to check that the actual service can work using a subset of the input data provided by the client to the expected service. The second is called needed, and it is used to check that the actual service can provide a superset of the data the client expects to receive as output of the expected service. The model includes an instance of seen (resp. needed) for each type of data that can be used as input (resp. output) parameter for an operation.

[Figure 1: LTS of ChartLyrics; only the transition labels, written operation(inputs) : outputs, survive extraction. SearchLyric and SearchLyricText label several transitions, GetLyric leads to the end state.]
SearchLyric(song; artist) : SongRank; song; artist; ArtistUrl; SongUrl; lyricsId; lyricCheckSum
SearchLyricText(lyricText) : SongRank; song; artist; ArtistUrl; SongUrl; lyricsId; lyricCheckSum
GetLyric(lyricCheckSum; lyricsId) : Lyric; LyricCorrectUrl; LyricRank; LyricCovertArtUrl; LyricCorrectUrl; artist; song

Figure 1. LTS of the ChartLyrics service of Section V.

The model states that each time an operation of the expected service is invoked, the instances of seen for each input parameter and those of needed for each output parameter are all incremented by one. Conversely, when an operation of the actual service is invoked, the instances of the seen counter for each input parameter and those of the needed counter for each output parameter are all decremented by one. Note that an actual service operation can be invoked only if the seen counter for each of its input parameters is > 0 (i.e., the input parameters have been provided by a client expecting to invoke some operations on the expected service).

Through this model, given a sequence of operations in the expected service automaton, we can formalize the problem of finding a substituting operation sequence in the actual service automaton. More precisely, the actual operation sequence exists if, when the expected operation sequence is finished, the actual and expected services are in compatible states, and each instance of the needed counter has a value ≤ 0. The rationale behind the latter condition is that when the value of a needed counter is 0, then the actual service provided enough instances of a certain type of data to fulfill client requests. If, on the other hand, the actual service provides more instances of a type of data than those requested, then the corresponding needed counter is < 0.

In case the expected service operation sequence analyzed 
is substitutable by one in the actual service, a mapping 
script is generated and then interpreted by an adapter that 
intercepts all service requests issued by the client and 
transforms them into some requests the actual service can 
understand. Fig. 2 shows the placement of adapters into the infrastructure architecture and highlights their nature of intermediaries (see [3] for details).

Figure 2. The adaptation runtime infrastructure.

III. A Logic for Time-Varying Counters

In order to deal with time-varying counters over actual domains (such as seen and needed discussed in Section II), we introduce an extension of Linear-time Temporal Logic with past operators and non-quantified first order integer variables. The language we consider, denoted CLTLB(DL), is an extension of PLTLB which combines pure Boolean atoms and formulae with terms defined by DL constraints. Counters can naturally be represented by integer variables over the whole domain without any approximation due to a propositional encoding. In [7] we prove the decidability of the satisfiability problem in more general cases.

Difference Logic is the structure $(\mathbb{Z}, =, (<_d)_{d \in \mathbb{Z}})$ where each $<_d$ is a binary relation defined as

$$x <_d y \Leftrightarrow x < y + d.$$

The notations $x < y$, $x \le y$, $x \ge y$, $x > y$ and $x = y + d$ are abbreviations for $x <_0 y$, $x <_0 y \vee x = y$, $\neg(x <_0 y)$, $\neg(x <_0 y \vee x = y)$ and $y <_{1-d} x \wedge x <_{d+1} y$, respectively. Let $AP$ be the set of Atomic Propositions and $V$ the set of variables; the CLTLB(DL) language is defined as follows:

$$\phi ::= p \mid \alpha \sim \beta \mid \phi \wedge \phi \mid \neg\phi \mid X\phi \mid Y\phi \mid Z\phi \mid \phi U \phi \mid \phi S \phi$$
$$\alpha ::= x \mid X\alpha \mid Y\alpha$$

where $p \in AP$, $x \in V$, $\sim$ is any relation in DL, $X$ is the usual "next", $Y$, $Z$ are "previous" operators, $U$ and $S$ are the usual "until" and "since" operators. Subformulae $\alpha$ are called arithmetic temporal terms (a.t.t.); for such terms, we define recursively the depth $|\alpha|$:



Depth extends naturally to formulae as the minimum depth 
of its a.t.t.'s. 

The semantics of a formula $\phi$ of CLTLB(DL) is defined w.r.t. a linear time structure $(S, s_0, I, \pi, L)$ where $S$ is the set of states, $s_0$ is the initial state, $I : [\ldots, -1] \times V \to \mathbb{Z}$ is an assignment of variables, $\pi$ is an infinite path $\pi = s_0 s_1 \ldots$ endowed with a sequence of valuations $\sigma : \mathbb{N} \times V \to \mathbb{Z}$, and $L : S \to 2^{AP}$ is the labeling function. The function $I$ allows a valuation of variables to be defined also for instants preceding zero and then to be extended to a.t.t.'s. Indeed, if $\alpha$ is such a term, $x$ is the variable in $\alpha$, $s_i$ is a state along the sequence, and $\sigma^i$ is a shorthand for $\sigma(i, \cdot)$, then:

$$\sigma^i(\alpha) = \begin{cases} \sigma^{i+|\alpha|}(x) & \text{if } i + |\alpha| \ge 0 \\ I(i + |\alpha|, x) & \text{if } i + |\alpha| < 0 \end{cases}$$

Given a model $\pi_\sigma$, the semantics of a formula $\phi$ is recursively defined as:

$$\begin{array}{lcl}
\pi^i \models p & \Leftrightarrow & p \in L(s_i) \quad \text{for } p \in AP \\
\pi^i \models \alpha \sim \beta & \Leftrightarrow & \sigma^i(\alpha) \sim \sigma^i(\beta) \\
\pi^i \models \neg\phi & \Leftrightarrow & \pi^i \not\models \phi \\
\pi^i \models \phi \wedge \psi & \Leftrightarrow & \pi^i \models \phi \wedge \pi^i \models \psi \\
\pi^i \models X\phi & \Leftrightarrow & \pi^{i+1} \models \phi \\
\pi^i \models Y\phi & \Leftrightarrow & \pi^{i-1} \models \phi \wedge i > 0 \\
\pi^i \models Z\phi & \Leftrightarrow & \pi^{i-1} \models \phi \vee i = 0 \\
\pi^i \models \phi U \psi & \Leftrightarrow & \exists\, j \ge i : \pi^j \models \psi \wedge \pi^n \models \phi \ \forall\, i \le n < j \\
\pi^i \models \phi S \psi & \Leftrightarrow & \exists\, 0 \le j \le i : \pi^j \models \psi \wedge \pi^n \models \phi \ \forall\, j < n \le i
\end{array}$$

where $\sigma^i(\alpha)$ is evaluated, as defined above, on the variable $x_\alpha$ that appears in $\alpha$, and $\sim$ is any relation in DL. The $R$ and $T$ operators, over infinite paths, can be defined as usual: $\phi R \psi = \neg(\neg\phi U \neg\psi)$ and $\phi T \psi = \neg(\neg\phi S \neg\psi)$. By means of the previous dualities and De Morgan's rules, it is always possible to rewrite all formulae in positive normal form. From now on, we assume all formulae are in positive normal form. A formula $\phi \in$ CLTLB(DL) is satisfiable if there exists a linear time structure $(S, s_0, I, \pi, L)$ and a sequence of valuations $\sigma$ such that $\pi_\sigma \models \phi$, where $\pi_\sigma$ is the sequence built from $\pi$ and the valuations as described before.

Unfortunately, CLTLB(DL) is too expressive, in the sense that the satisfiability problem can be proven to be highly undecidable [8]. However, the satisfiability and the model checking problems for a CLTLB(DL) formula $\phi$ for $k$-partial valuations (i.e., for all computations in which the value of counters is considered only up to $k$ plus the maximum depth of the subformulae of $\phi$ steps) are shown to be decidable [7]. Both of them reduce to the satisfiability and the model checking problems, respectively, over bounded paths of length equal to $k$ with $k$-partial valuations. As in standard BMC (of a property $\phi$), the goal is looking for finite initialized paths of the system that are witnesses of wrong behaviors, i.e., paths along which the negation of the property holds. When the finite path of length $k$ admits a loop, it contains all its infinite periodic behavior; conversely, when a loop does not exist, it represents all its possible extensions. In both cases it is representative of an infinite path. Formally, paths are words of states $s_i$ which may be possibly periodic: $\pi = u v^\omega$ with $u = s_0 \cdots s_l$ and $v = s_{l+1} \cdots s_k$ where $l < k$, if the loop exists; $\pi = uv$, if it does not. Besides the propositional model, the values of the variables up to the state $s_k$ are depicted by a bounded representation $\pi_{\sigma_k}$ of the model $\pi_\sigma$. It is also suitably bordered by some values of variables referring to time instants outside the finite path, before $s_0$ and after $s_k$, depending on the depth of the formula. Arithmetic DL constraints may be part of the possibly periodic model $\pi_\sigma$ and, thus, are defined by means of a finite prefix of length $k$. According to [7], [9], we are allowed to use a proper bounded semantics to state reachability properties on that part of the system involving a counting mechanism (i.e., $Xx = y + 1$, where $x, y$ are variables). Note that over finite acyclic paths, the equivalences $\phi R \psi = \neg(\neg\phi U \neg\psi)$ and $\phi T \psi = \neg(\neg\phi S \neg\psi)$ no longer hold. Then, $R$ (and symmetrically $T$) is redefined as [10]:

$$\pi^i \models_k \phi R \psi \Leftrightarrow \exists\, i \le j \le k : \pi^j \models_k \phi \wedge \pi^n \models_k \psi \ \forall\, i \le n \le j$$

Based on this assumption, the (existential) reachability problem over infinite paths endowed with a $k$-partial valuation $\sigma_k$, $\pi_{\sigma_k} \models \phi$, can be reduced to the bounded (existential) reachability problem over finite paths (possibly cyclic) with $k$-partial valuation, $\pi_{\sigma_k} \models_k \phi$:

Theorem 1 ([11]). Let $\phi$ be a CLTLB(DL) formula. There exists $k > 0$ such that if $\pi_{\sigma_k}$ is a path endowed with a $k$-partial valuation of variables, then $\pi_{\sigma_k} \models \phi \Leftrightarrow \pi_{\sigma_k} \models_k \phi$.

These results allow us to correctly verify the satisfiability of CLTLB(DL) formulae and also to realize a bounded model checking of systems involving DL constraints. In particular, when a counting mechanism is defined, reachability properties of values of variables along paths of finite length can be verified. Obviously, if the reachability property does not hold within $k$, then $k$ can be refined and augmented. As explained later in Section VI, the substitutability problem can be solved efficiently by means of a BMC approach by correctly estimating an upper bound for $k$. This is done by using a suitable heuristic based on the dimension of the automata describing services and the length of traces of invocations. For these reasons, the substitutability problem, which requires checking a counting mechanism over finite paths of invocations of service operations, can be easily encoded as a bounded reachability problem.



IV. Encoding of Bounded Reachability Problem 

In this section the bounded reachability problem is encoded as the satisfiability of a Quantifier-Free Integer Difference Logic formula with Uninterpreted Function and predicate symbols (QF-UFIDL). Such a logic is shown to be decidable, and its satisfiability problem to be NP-complete, as can be easily proved by applying the Nelson-Oppen Theorem. The QF-UFIDL encoding turns out to be more succinct and expressive than the Boolean one: lengthy propositional constraints are replaced by more concise DL constraints, and arithmetic (infinite) domains do not require an explicit finite representation. These facts, considering also that the satisfiability problem for QF-UFIDL has the same complexity as SAT, make the SMT-based approach particularly efficient for solving the runtime substitutability problem, as demonstrated by the performance results. In the key work of Biere et al. [1], BMC is reduced to a pure propositional satisfiability problem. This approach, and further refinements [10], [11], [12], has already been implemented in the Zot tool¹.

A. Encoding the Time

As discussed before, the BMC problem amounts to looking for a finite representation of infinite (possibly periodic) paths. The SAT-based approach encodes finite paths [9] by means of $2k + 3$ propositional variables. The time instant at which the periodic suffix starts is defined by the loop selector variables $l_0, l_1, \ldots, l_k$: $l_i$ holds if and only if the loop starts at instant $i$, i.e., $s_i$ is the successor of $s_k$. Then, the truth (of atomic propositions) in $s_{i-1}$ and $s_k$, defined by the labeling function $L$ of Section III, must be the same. Further propositional variables, $inLoop_i$ ($0 \le i \le k$) and $loopEx$, respectively, mean that time instant $i$ is inside a loop and that there actually exists a loop.

The same temporal behavior can be defined by means of one QF-UFIDL formula involving only one integer loop-selecting variable $loop \in \mathbb{Z}$:

$$\bigwedge_{i=1}^{k} \big( loop = i \Rightarrow L(s_{i-1}) = L(s_k) \big).$$

The QF-UFIDL encoding is more concise: it does not require $2k + 3$ Boolean variables ($l_i$, $inLoop_i$ and $loopExists$). A value of $loop$ between $1$ and $k$ defines whether a loop exists and its position; the number of variables does not depend on the $k$ parameter.

B. Encoding the Arithmetic Temporal Terms

Since CLTLB(DL) formulae also consist of a.t.t.'s, we need to define a suitable semantics for them. An arithmetic formula function, i.e., an uninterpreted function $\boldsymbol{\alpha} : \mathbb{Z} \to \mathbb{Z}$, is associated with each arithmetic temporal subterm of $\Phi$. Let $\alpha$ be such a subterm; then the arithmetic formula function associated with it (denoted by the same name but written in bold face) is recursively defined w.r.t. the sequence of valuations $\sigma$ as, for $0 \le i \le k$:

$$\begin{array}{ll}
x & \mathbf{x}(i) = \sigma^i(x) \\
X\alpha & \mathbf{X\alpha}(i) = \boldsymbol{\alpha}(i + 1) \\
Y\alpha & \mathbf{Y\alpha}(i) = \boldsymbol{\alpha}(i - 1)
\end{array}$$

This semantics is well-defined between $0$ and $k$ thanks to the initialization function $I$.

¹Zot: a Bounded Satisfiability Checker, http://home.dei.polimi.it/pradella/

C. Encoding the Propositional Terms

The propositional encoding is inspired by the one studied in [10], but deeply revised to also take into account relations over a.t.t.'s. In the case of the Boolean encoding, the semantics of a PLTLB formula $\Phi$ is defined w.r.t. the truth value of all its subformulae only by means of Boolean variables $t_i$ associated with each of them, for all $0 \le i \le k + 1$: if $t_i$ holds then the subformula $t$ holds at instant $i$. The instant $k + 1$ is appended to the path to easily represent the instant in the past where the loop realizes the periodicity; indeed, it turns out to be useful for the encoding. The propositional semantics of a CLTLB(DL) formula $\Phi$ is defined like that of PLTLB. The QF-UFIDL encoding, instead, associates to each propositional subformula a formula predicate that is a unary uninterpreted predicate over $\mathbb{Z}$. When the subformula $\varphi$ holds at instant $i$ then $\boldsymbol{\varphi}(i)$ holds. As the length of paths is fixed to $k + 1$, and all paths start from $0$, formula predicates are actually subsets of $\{0, \ldots, k + 1\}$. Let $\varphi$ be a propositional subformula of $\Phi$, $\alpha, \beta$ be two a.t.t.'s and $\sim$ be any relation in DL; then the formula predicate associated with $\varphi$ (denoted by the same name but written in bold face) is recursively defined as, for $0 \le i \le k + 1$:

$$\begin{array}{l}
\mathbf{p}(i) \Leftrightarrow p \in L(s_i) \\
(\boldsymbol{\alpha \sim \beta})(i) \Leftrightarrow \boldsymbol{\alpha}(i) \sim \boldsymbol{\beta}(i)
\end{array}$$

D. Encoding Temporal Operators

Temporal subformulae constraints define the basic temporal behavior of future and past operators, by using their traditional fixpoint characterizations. Let $\phi$ and $\psi$ be propositional subformulae of $\Phi$ (below, $\varphi(i)$ stands for the formula predicate $\boldsymbol{\varphi}(i)$); then:

$$\begin{array}{ll}
0 \le i \le k & X\phi(i) \Leftrightarrow \phi(i + 1) \\
 & (\phi U \psi)(i) \Leftrightarrow \big(\psi(i) \vee (\phi(i) \wedge (\phi U \psi)(i + 1))\big) \\
 & (\phi R \psi)(i) \Leftrightarrow \big(\psi(i) \wedge (\phi(i) \vee (\phi R \psi)(i + 1))\big) \\[4pt]
1 \le i \le k + 1 & Y\phi(i) \Leftrightarrow \phi(i - 1) \\
 & Z\phi(i) \Leftrightarrow \phi(i - 1) \\
 & (\phi S \psi)(i) \Leftrightarrow \big(\psi(i) \vee (\phi(i) \wedge (\phi S \psi)(i - 1))\big) \\
 & (\phi T \psi)(i) \Leftrightarrow \big(\psi(i) \wedge (\phi(i) \vee (\phi T \psi)(i - 1))\big) \\[4pt]
i = 0 & \neg Y\phi(0) \\
 & Z\phi(0) \\
 & (\phi S \psi)(0) \Leftrightarrow \psi(0) \\
 & (\phi T \psi)(0) \Leftrightarrow \psi(0)
\end{array}$$

Last state constraints define an equivalence between truth at $k + 1$ and that at the instant indicated by $loop$, since the instant $k + 1$ is representative of the instant $loop$ along periodic paths. Otherwise, truth values at $k + 1$ are trivially false. These constraints have a similar structure to the corresponding Boolean ones, but here they are defined by only one DL constraint, for each subformula $\varphi$ of $\Phi$, w.r.t. the variable $loop$:

$$\Big[ \bigwedge_{i=1}^{k} \big( loop = i \Rightarrow (\varphi(k + 1) \Leftrightarrow \varphi(i)) \big) \Big] \wedge \Big[ \neg(1 \le loop \le k) \Rightarrow \neg\varphi(k + 1) \Big]$$

Note that if a loop does not exist then the fixpoint semantics of $R$ is exactly the one defined over finite acyclic paths in Sec. III. Finally, to correctly define the semantics of $U$ and $R$, their eventualities have to be accounted for. Briefly, if $\phi U \psi$ holds at $i$, then $\psi$ eventually holds at some $j \ge i$; if $\phi R \psi$ does not hold at $i$, then $\psi$ eventually does not hold at some $j \ge i$. Along finite paths of length $k$, eventualities must hold between $0$ and $k$. If a loop exists, an eventuality may hold within the loop. The original Boolean encoding introduces $k$ propositional variables for each $\phi U \psi$ and $\phi R \psi$ subformula of $\Phi$, for all $1 \le i \le k$, which represent the eventuality of $\psi$ implicit in the formula. The interested reader should consult [10]. Differently, in the QF-UFIDL encoding, only one variable $j_\psi \in \mathbb{Z}$ is introduced for each $\psi$ occurring in a subformula $\phi U \psi$ or $\phi R \psi$:

$$\begin{array}{ll}
\text{Base} & \\
\phi U \psi & \bigwedge_{i=1}^{k} \Big( loop = i \Rightarrow \big( (\phi U \psi)(k) \Rightarrow loop \le j_\psi \le k \wedge \psi(j_\psi) \big) \Big) \\[4pt]
\phi R \psi & \bigwedge_{i=1}^{k} \Big( loop = i \Rightarrow \big( \neg(\phi R \psi)(k) \Rightarrow loop \le j_\psi \le k \wedge \neg\psi(j_\psi) \big) \Big)
\end{array}$$

The complete encoding of $\Phi$ consists of the logical conjunction of all the above components, together with $\Phi$ evaluated at the first instant along the time structure.

Let $\Phi$ be a pure propositional formula, i.e., a PLTLB formula; then we can compare the size of the SAT-based encoding with that of the QF-UFIDL one. If $m$ is the total number of subformulae and $n$ is the total number of temporal operators $U$ and $R$ occurring in $\Phi$, then the SAT-based encoding requires $(2k + 3) + (k + 2)m + (k + 1)n = O(k(m + n))$ fresh propositional variables. Differently, the QF-UFIDL encoding requires only $n + 1$ integer variables ($loop$ and the $j_\psi$) and $m$ unary predicates (one for each subformula).
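To make the encoding of subsections A to D concrete, the Python below (an added example, not the Zot implementation) emits the QF-UFIDL constraints as SMT-LIB 2 text for a formula in positive normal form and a bound k, and reports the variable counts next to the SAT-based figure given above. It fixes one convention the paper leaves implicit: loop = 0 denotes the absence of a loop, so the "no loop" case of the last-state constraints reads loop = 0; label equality at the loop entry is asserted for atomic propositions only, and a DL relation $a \sim b + d$ is written in the $a - b \sim d$ form. The formula EXAMPLE is constructed for this illustration.

```python
"""SMT-LIB 2 text for the QF-UFIDL bounded encoding of a CLTLB(DL) formula,
following subsections A to D.  Added example, not the Zot implementation."""
from typing import Dict, List, Set, Tuple

# Formulae are tuples in positive normal form, as the paper assumes:
#   ("p", name)              atomic proposition
#   ("dl", rel, a, b, d)     a rel (b + d), rel in {"<", "<=", "=", ">=", ">"}
#   ("and", f, g) ("or", f, g) ("not", f)
#   ("X", f) ("Y", f) ("Z", f) ("U", f, g) ("R", f, g) ("S", f, g) ("T", f, g)
# Arithmetic temporal terms:  ("v", x)  ("Xt", t)  ("Yt", t)
FORMULA_TAGS = {"p", "dl", "and", "or", "not", "X", "Y", "Z", "U", "R", "S", "T"}


def smt_int(i: int) -> str:
    return str(i) if i >= 0 else f"(- {-i})"


def term_at(t: tuple, i: int) -> str:
    """Arithmetic formula function: x(i) = sigma^i(x), Xa(i) = a(i+1), Ya(i) = a(i-1).
    A negative instant is the initialisation I, written as x applied to i < 0."""
    if t[0] == "v":
        return f"({t[1]} {smt_int(i)})"
    return term_at(t[1], i + 1 if t[0] == "Xt" else i - 1)


def term_vars(t: tuple, acc: Set[str]) -> Set[str]:
    if t[0] == "v":
        acc.add(t[1])
    else:
        term_vars(t[1], acc)
    return acc


def subformulae(phi: tuple) -> List[tuple]:
    """Subformulae in post-order, each listed once: one predicate per subformula."""
    out: List[tuple] = []

    def walk(f: tuple) -> None:
        for c in f[1:]:
            if isinstance(c, tuple) and c[0] in FORMULA_TAGS:
                walk(c)
        if f not in out:
            out.append(f)
    walk(phi)
    return out


def encode(phi: tuple, k: int) -> Tuple[str, Dict[str, int]]:
    subs = subformulae(phi)
    name = {f: (f[1] if f[0] == "p" else f"f{n}") for n, f in enumerate(subs)}

    def P(f: tuple, i) -> str:              # formula predicate applied to an instant
        return f"({name[f]} {smt_int(i) if isinstance(i, int) else i})"

    ivars: Set[str] = set()
    for f in subs:
        if f[0] == "dl":
            for t in (f[2], f[3]):
                term_vars(t, ivars)
    decl = ["(set-logic QF_UFIDL)", "(declare-fun loop () Int)"]
    decl += [f"(declare-fun {x} (Int) Int)" for x in sorted(ivars)]
    decl += [f"(declare-fun {name[f]} (Int) Bool)" for f in subs]
    A = [f"(and (<= 0 loop) (<= loop {k}))"]   # assumption: loop = 0 means "no loop"
    props = [f for f in subs if f[0] == "p"]
    for i in range(1, k + 1):                   # loop = i  =>  L(s_{i-1}) = L(s_k)
        A += [f"(=> (= loop {i}) (= {P(p, i - 1)} {P(p, k)}))" for p in props]
    n_ur = 0
    for f in subs:
        tag = f[0]
        if tag == "dl":                          # (a ~ b)(i)  <=>  a(i) - b(i) ~ d
            _, rel, a, b, d = f
            A += [f"(= {P(f, i)} ({rel} (- {term_at(a, i)} {term_at(b, i)}) {smt_int(d)}))"
                  for i in range(k + 1)]
        elif tag in ("and", "or"):
            A += [f"(= {P(f, i)} ({tag} {P(f[1], i)} {P(f[2], i)}))" for i in range(k + 2)]
        elif tag == "not":
            A += [f"(= {P(f, i)} (not {P(f[1], i)}))" for i in range(k + 2)]
        elif tag == "X":
            A += [f"(= {P(f, i)} {P(f[1], i + 1)})" for i in range(k + 1)]
        elif tag in ("Y", "Z"):
            A += [f"(= {P(f, i)} {P(f[1], i - 1)})" for i in range(1, k + 2)]
            A.append(P(f, 0) if tag == "Z" else f"(not {P(f, 0)})")
        elif tag in ("U", "R", "S", "T"):        # fixpoint characterisations
            outer, inner = ("or", "and") if tag in ("U", "S") else ("and", "or")
            step, rng = (1, range(k + 1)) if tag in ("U", "R") else (-1, range(1, k + 2))
            A += [f"(= {P(f, i)} ({outer} {P(f[2], i)} ({inner} {P(f[1], i)} {P(f, i + step)})))"
                  for i in rng]
            if tag in ("S", "T"):
                A.append(f"(= {P(f, 0)} {P(f[2], 0)})")
            else:                                # one eventuality witness j_psi in the loop
                j = f"j{n_ur}"
                n_ur += 1
                decl.append(f"(declare-fun {j} () Int)")
                trig = P(f, k) if tag == "U" else f"(not {P(f, k)})"
                wit = P(f[2], j) if tag == "U" else f"(not {P(f[2], j)})"
                A.append(f"(=> (<= 1 loop) (=> {trig} (and (<= loop {j}) (<= {j} {k}) {wit})))")
        # last state: instant k+1 stands for instant loop, or is false without a loop
        A += [f"(=> (= loop {i}) (= {P(f, k + 1)} {P(f, i)}))" for i in range(1, k + 1)]
        A.append(f"(=> (= loop 0) (not {P(f, k + 1)}))")
    A.append(P(phi, 0))                          # the whole formula holds at instant 0
    m = len(subs)
    counts = {"int_vars": 1 + n_ur, "predicates": m,
              "sat_vars": (2 * k + 3) + (k + 2) * m + (k + 1) * n_ur}
    return "\n".join(decl + [f"(assert {a})" for a in A] + ["(check-sat)"]), counts


# Constructed instance: "x grows by one at every step, until y < x".
EXAMPLE = ("U",
           ("dl", "=", ("Xt", ("v", "x")), ("v", "x"), 1),   # Xx = x + 1
           ("dl", "<", ("v", "y"), ("v", "x"), 0))            # y < x

if __name__ == "__main__":
    text, counts = encode(EXAMPLE, 3)
    print(text)
    print(counts)
```

For EXAMPLE with k = 3 the output declares the single integer loop, one witness j0, the two uninterpreted functions x and y standing for the valuations, and three predicates, against 28 propositional variables for the SAT-based encoding; feeding the text to an SMT solver that supports QF_UFIDL checks bounded satisfiability of the formula.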

V. Case Study

To demonstrate our methodology, we use an example concerning two existing conversational services available on the Internet. These two services realize two lyric search engines. One is called ChartLyrics², the other LyricWiki³.

²http://www.chartlyrics.com/api.aspx
³http://lyrics.wikia.com/Main_Page
[Figure 3: only the transition labels survive extraction; they read operation(inputs):outputs with the parameter codes listed in the caption, e.g. cSE(1;0):2;4, sS(1;0):2;4, sS(0;1):1;0, sA(10):0.]

Figure 3. A subset of the behavior protocol automaton of LyricWiki. Operations: searchSongs (sS), checkSongExists (cSE), searchArtists (sA), getArtist (gA), getSong (gS). Parameters: artist (0), song (1), lyricsId (2), item (3), lyricCheckSum (4), SongUrl (5), year (6), album (7), LyricCorrectUrl (8), Lyrics (9), lyricText (10).

ChartLyrics is a lyrics database sorted by artists or songs. The WSDL⁴ of ChartLyrics provides three operations: (i) SearchLyric to search available lyrics, (ii) SearchLyricText to search a song by means of some text within an available lyric text, and (iii) GetLyric to retrieve the searched lyric.

LyricWiki is a free site where anyone can go to get reliable lyrics for any song from any artist. The WSDL of LyricWiki⁵ provides several operations. Five of them are of interest for our purposes: (i) searchSongs to search for a possible song on LyricWiki and get up to ten close matches, (ii) checkSongExists to check if a song exists in the LyricWiki database, (iii) getSong to get the lyrics for a searched LyricWiki song with the exact artist and song match, (iv) searchArtists to search for a possible artist by name and return up to ten close matches, and (v) getArtist to get the entire discography for a searched artist. To get a lyric through ChartLyrics, a client can exploit the following sequence of operation invocations: SearchLyric, GetLyric. Conversely, to get a lyric through LyricWiki, a possible sequence of operation invocations is the following: checkSongExists, searchSongs, getSong (see the representation of the conversational protocols of ChartLyrics and LyricWiki, respectively, in Fig. 1 and Fig. 3).

If LyricWiki were part of a web application realized through a service composition, it could happen that, in certain circumstances, it would need to be replaced by ChartLyrics or by any other specialized search engine. This could happen, for instance, to accommodate the preferences of users having their preferred engine, or to handle the cases when LyricWiki is unavailable for any reason. The developer could code, by hand, the instructions to deal with any possible engine and its replacement. However, this approach does not allow the application to deal with search engines unknown at design time. A better solution, which would overcome this problem, is to build a mapping mechanism that dynamically handles the mismatches by automatically synthesizing a behavior protocol mapping script. The adaptation realized by the synthesized mapping script could state, e.g., that the sequence of LyricWiki operations checkSongExists, searchSongs, getSong maps to the sequence of ChartLyrics operations SearchLyric, GetLyric.

⁴http://api.chartlyrics.com/apiv1.asmx?WSDL
⁵http://lyrics.wikia.com/server.php?wsdl

Let us consider as an example the expected service operation sequence checkSongExists, searchSongs, getSong, which brings the LyricWiki behavior protocol automaton from state start to state sg (see Fig. 3). We assume to have established a compatibility relation between services' data. Also, for the sake of brevity, the automata of Fig. 1 and 3 are represented with this relation already established, though in practice this requires an additional mapping step (for more details see [6], [3]). Finally, we establish a state compatibility relation. This defines that state sg of the expected service is compatible with state end of the actual service, which means that if the expected service reaches state sg, then the actual service should reach state end. The example expected operation sequence starts from the start state and leads the behavior protocol model into state sg.

The automata describing service protocols, the state compatibility relation and the expected service operation sequence are all formalized through suitable CLTLB(DL) formulae expectedService, actualService and expectedOperationSequence. Then, we formulate the problem of checking whether the expected service can be substituted by the actual service in terms of a bounded reachability problem over the automata describing the protocols of the expected and actual services. The problem consists in searching for a finite operation sequence on the actual service automaton which starts (resp. ends) in a state compatible with the start (resp. end) state of the expected service operation sequence. Moreover, the actual service operation sequence should require no more input parameters than those provided to the expected service sequence, and it should provide at least the same parameters provided by the expected service sequence. To ensure this property we keep track, through instances of the counters seen and needed (see Section II), of how many parameters of any given kind are provided as input to the expected service operations and of how many parameters of any given kind are returned by each actual service operation (this is formalized through suitable CLTLB(DL) formulae seen and needed). Finally, a solution for the bounded reachability problem can be obtained by checking the satisfiability of the CLTLB(DL) formula expectedService ∧ actualService ∧ expectedOperationSequence ∧ seen ∧ needed.
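The search that this formula encodes can also be run explicitly, which makes the counter bookkeeping of Section II and the walkthrough that follows concrete. The Python below is an added example, not the authors' CLTLB(DL) encoding or their prototype: it implements the seen/needed counters and the two substitutability conditions as a bounded depth-first search over the two automata, with iterative deepening on the number of actual-service invocations in the role of the bound k. Operation signatures come from Fig. 1 and the text; the ChartLyrics transitions and state names other than SearchLyric_start and end, getSong returning the lyric, and the identity data-compatibility relation (parameter names already mapped onto one vocabulary) are assumptions.

```python
"""Explicit bounded search for a substituting operation sequence, using the
seen/needed counter model of Section II on the protocols of Section V.
Added example, not the authors' CLTLB(DL) encoding."""
from typing import Dict, List, Optional, Set, Tuple

Sig = Dict[str, Tuple[Tuple[str, ...], Tuple[str, ...]]]  # op -> (inputs, outputs)
Lts = Dict[Tuple[str, str], str]                            # (state, op) -> next state
Script = List[Tuple[str, List[str]]]                        # (expected op, actual ops)

# Actual service, ChartLyrics (Fig. 1).  Parameter names are taken as already
# mapped onto one vocabulary (identity data compatibility, as in the paper).
CHARTLYRICS_SIG: Sig = {
    "SearchLyric": (("song", "artist"),
                    ("songRank", "song", "artist", "artistUrl", "songUrl",
                     "lyricsId", "lyricCheckSum")),
    "SearchLyricText": (("lyricText",),
                        ("songRank", "song", "artist", "artistUrl", "songUrl",
                         "lyricsId", "lyricCheckSum")),
    "GetLyric": (("lyricCheckSum", "lyricsId"),
                 ("lyric", "lyricCorrectUrl", "lyricRank", "lyricCoverArtUrl",
                  "artist", "song")),
}
# Transitions assumed from the text: both searches stay available after a
# search, GetLyric leads to "end"; SearchLyricText_start is an assumed name.
CHARTLYRICS_LTS: Lts = {}
for _s in ("start", "SearchLyric_start", "SearchLyricText_start"):
    CHARTLYRICS_LTS[(_s, "SearchLyric")] = "SearchLyric_start"
    CHARTLYRICS_LTS[(_s, "SearchLyricText")] = "SearchLyricText_start"
    if _s != "start":
        CHARTLYRICS_LTS[(_s, "GetLyric")] = "end"

# Expected service: the LyricWiki fragment walked through in the text (Fig. 3);
# getSong returning the lyric is an assumption.
LYRICWIKI_SIG: Sig = {
    "checkSongExists": (("song", "artist"), ("lyricsId", "lyricCheckSum")),
    "searchSongs": (("song", "artist"), ("artist", "song")),
    "getSong": (("artist", "song", "lyricsId", "lyricCheckSum"), ("lyric",)),
}
EXPECTED_SEQUENCE = ["checkSongExists", "searchSongs", "getSong"]


def _bump(counters: Dict[str, int], names, delta: int, floor_at_zero=False):
    """Copy of counters with each name moved by delta (floored at 0 if asked)."""
    c = dict(counters)
    for p in names:
        v = c.get(p, 0) + delta
        c[p] = max(v, 0) if floor_at_zero else v
    return c


def find_substitution(expected_seq: List[str], exp_sig: Sig, act_sig: Sig,
                      act_lts: Lts, act_start: str, compatible_final: Set[str],
                      max_actual_ops: int, store_extra: bool = True) -> Optional[Script]:
    """Mapping script that substitutes expected_seq, or None within the bound.

    Iterative deepening on the number of actual invocations plays the role of
    the bound k, so the script with the fewest actual invocations is returned.
    store_extra=False is the conservative strategy of Section V: surplus
    outputs are discarded, so needed counters never go below zero.
    """
    def search(idx, state, seen, needed, script, budget):
        # Conditions 1) and 2): compatible final state and every needed <= 0.
        if idx == len(expected_seq) and state in compatible_final \
                and all(v <= 0 for v in needed.values()):
            return script
        # Actual-service moves first, so replies are produced as early as possible.
        if budget > 0 and script:
            for (src, aop), dst in act_lts.items():
                ins, outs = act_sig[aop]
                if src != state or not all(seen.get(p, 0) > 0 for p in ins):
                    continue       # wrong protocol state, or input data not yet provided
                eop, acts = script[-1]
                found = search(idx, dst, _bump(seen, ins, -1),
                               _bump(needed, outs, -1, not store_extra),
                               script[:-1] + [(eop, acts + [aop])], budget - 1)
                if found is not None:
                    return found
        if idx < len(expected_seq):   # the client invokes the next expected operation
            ins, outs = exp_sig[expected_seq[idx]]
            return search(idx + 1, state, _bump(seen, ins, 1), _bump(needed, outs, 1),
                          script + [(expected_seq[idx], [])], budget)
        return None

    for budget in range(max_actual_ops + 1):
        found = search(0, act_start, {}, {}, [], budget)
        if found is not None:
            return found
    return None


if __name__ == "__main__":
    print(find_substitution(EXPECTED_SEQUENCE, LYRICWIKI_SIG, CHARTLYRICS_SIG,
                            CHARTLYRICS_LTS, "start", {"end"}, 4))
```

On the case study the search returns the mapping script [(checkSongExists, [SearchLyric]), (searchSongs, []), (getSong, [GetLyric])], i.e. the adapter described in the rest of this section; with a bound of one actual invocation, or with a final state that can only be reached through SearchLyricText (whose input lyricText the client never provides), it returns None.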

Considering the example sequence on LyricWiki, a client expecting to invoke this sequence is assuming to provide as input to the first operation of the sequence a song and an artist. This will set the seen counter to 1 for both provided inputs. Moreover, it expects the invoked operation to return a lyricsId and a lyricCheckSum, which will increment the corresponding instances of the needed counter to 1. Considering the actual service protocol, our approach searches for an operation accepting a subset of the provided input data and providing a superset of the required return data.

The operation to be selected should leave the start state, as the state compatibility relation provided as input to the approach mandates the compatibility of state start of LyricWiki with state start of ChartLyrics. In our example the invocation of checkSongExists makes SearchLyric the only suitable candidate. After the invocation of this actual service operation all instances of seen and those instances of needed associated to the output parameters of checkSongExists are reset to 0. The actual service operation also returns some extra data that are not required by the invoked expected service operation (i.e., song, artist, songRank, artistUrl, songUrl). In this case the reasoning mechanism offers two possible choices: extra data can be discarded (hence ignored also in the future), or they can be initially ignored, but stored for an eventual later use. The former strategy is more conservative, but it may also limit the possibility of the reasoning mechanism to find an adapter. The latter strategy may affect data consistency in some cases, as it allows using as a reply for an operation some data that have been received before the request has actually been issued, but it also opens the possibility of finding adapters in situations in which the former would fail. In this case study we use the latter strategy, hence the needed counters for those data that are not required as a response by the invoked expected service operation are set to -1.

After the invocation of SearchLyric the actual service 
goes into the SearchLyric_start state. The next operation on the 
expected sequence to be invoked is searchSongs, which 
requires as input the names of the song to be searched and of 
its author and provides as return parameters the names of the 
artist and of the song, if they are found. Since the needed 
counters for both the name of the artist and of the song 
are set to -1, instances of those data have been previously 
stored, hence no operation shall be invoked on the actual 
service, which remains in state SearchLyric_start. 

The last operation in the expected sequence is getSong, 
which requires as input artist and song names and the id 
and checksum returned by the previously invoked checkSongExists. 
The expected service has again the same three 
operations of the previous step available, but this time there 
are two available candidates for selection: searchSongs and 
GetLyric. In this situation the latter is selected, because 
of the state compatibility relation provided as input to 
the adapter search phase. Given the data-flow constraints 
elicited before, GetLyric is the only available operation that 
can also satisfy the state compatibility relation. After the 
invocation of GetLyric the expected and actual services are 
in compatible states and the needed counter instances are all 
set to 0. Then, the actual service operation sequence found 
can be substituted for the expected service sequence. 

A mapping script generated for the example sequence in 
this section is reported in Table I. Each step contains the 
state in which each one of the analyzed automata is, the 
operations in seqexp and in seqact that should be invoked in 
that step, and the exchanged data, if any. For each operation 
in seqexp the adapter expects to receive an invocation for the 
expected service, and for each operation in seqact the adapter 
performs an invocation to the actual service. The table also shows 
the updates for the seen and needed counters. 
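The counter bookkeeping of the preceding case study (seen incremented by expected inputs, needed by expected outputs, the subset/superset candidate rule, and the two strategies for extra return data) can be simulated directly. The following is an added example, not code from the paper or the Zot plug-in: it replays the LyricWiki/ChartLyrics sequence with the parameter lists taken from the text and Table I, applies only the data-flow rule (the state compatibility relation is not modelled, so the first data-flow candidate is taken), and lets the caller choose between storing extra data (needed set to -1, the strategy used in the case study) and discarding it. The names build_mapping, store_extra and the Operation helper are this example's own.

```python
"""Replay of the seen/needed counter bookkeeping for adapter search (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Operation:
    name: str
    inputs: frozenset
    outputs: frozenset


def op(name, inputs, outputs):
    return Operation(name, frozenset(inputs), frozenset(outputs))


# Expected service (LyricWiki) sequence; parameter lists follow the case-study text.
EXPECTED_SEQUENCE = [
    op("checkSongExists", ["song", "artist"], ["lyricId", "lyricCheckSum"]),
    op("searchSongs", ["song", "artist"], ["song", "artist"]),
    op("getSong", ["song", "artist", "lyricId", "lyricCheckSum"],
       ["song", "artist", "lyricCorrectUrl", "Lyric"]),
]

# Actual service (ChartLyrics) operations; parameter lists follow Table I.
ACTUAL_OPERATIONS = [
    op("SearchLyric", ["song", "artist"],
       ["song", "artist", "artistUrl", "songRank", "lyricId", "lyricCheckSum"]),
    op("GetLyric", ["lyricId", "lyricCheckSum"],
       ["song", "artist", "artistUrl", "lyricRank", "Lyric",
        "lyricCorrectUrl", "lyricCoverArtUrl"]),
]


def build_mapping(expected, actual, store_extra=True):
    """Walk the expected sequence and pick actual operations by the data-flow rule.

    Returns (script, seen, needed): script is a list of (expected_op, actual_op_or_None).
    store_extra=True keeps extra return data for later use (counter -1);
    store_extra=False discards it (the conservative strategy).
    """
    seen = defaultdict(int)    # inputs the client has provided since the last invocation
    needed = defaultdict(int)  # >0: still awaited by the client; -1: already held as extra data
    script = []
    for e in expected:
        for p in e.inputs:
            seen[p] += 1
        for q in e.outputs:
            needed[q] += 1
        # Every awaited parameter is covered by stored extra data (counter <= 0):
        # the adapter answers from what it holds and invokes nothing.
        if all(needed[q] <= 0 for q in e.outputs):
            script.append((e.name, None))
            continue
        provided = {p for p, c in seen.items() if c > 0}
        required = {q for q, c in needed.items() if c > 0}
        # Candidate: accepts a subset of the provided inputs, returns a superset
        # of the required outputs.
        candidates = [a for a in actual if a.inputs <= provided and a.outputs >= required]
        if not candidates:
            raise ValueError(f"no actual operation can serve {e.name}")
        chosen = candidates[0]  # the paper's state compatibility relation would decide ties
        script.append((e.name, chosen.name))
        for p in list(seen):
            seen[p] = 0         # all seen instances are reset after an invocation
        for q in chosen.outputs:
            if needed[q] > 0:
                needed[q] = 0   # required data delivered
            elif store_extra:
                needed[q] = -1  # extra data stored for a later expected operation
            # otherwise the extra data is discarded and its counter is left untouched
    return script, dict(seen), dict(needed)


if __name__ == "__main__":
    for strategy in (True, False):
        script, _, needed = build_mapping(EXPECTED_SEQUENCE, ACTUAL_OPERATIONS, strategy)
        print("store extra data" if strategy else "discard extra data", script)
```

With the store strategy the script reproduces Table I (SearchLyric, no invocation, GetLyric, with artistUrl and lyricRank left at -1); with the discard strategy searchSongs can no longer be served from stored data, so the adapter has to invoke SearchLyric a second time, which is the extra invocation the conservative strategy costs in this case. The step served with `None` is exactly where the data-consistency caveat from the text applies: the reply is built from data received before the request was issued.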

VI. Evaluation and Experimental Results 

In order to evaluate the encoding presented in this paper 
we built a plug-in of Zot and we used it in three sets 
of experiments: (i) We created adapters for sequences of 
increasing length related to the case study presented in 
Section V. This set of experiments was used as a qualitative 
evaluation of the approach on examples taken from the real 
world. (ii) We ran the same set of experiments on Zot 
using three different encodings, namely the traditional SAT-based 
encoding (PLTL/SAT), the new SMT-based one of 
the same logic (PLTL/SMT), and the SMT-based one of logic 
CLTLB(DL) introduced in this paper. We measured elapsed 
time and occupied memory, and we compared the results 
to get an estimate of how the introduction of the SMT-solver 
speeds up the adapter-building mechanism. (iii) We 
created some service interface models with a growing number 
of parameters and tried to solve them with both the original 
version of the encoding and with the extensions. This set 
of experiments has the purpose of comparing how well the 
new encoding scales on models larger than those found in 
common practice. 

All experiments were run using the Common Lisp compiler 
SBCL 1.0.29.11 on a 2.50GHz Core2 Duo laptop with 
Linux and 4 GB RAM. We chose to use two different SMT-solvers 
in our tests: Microsoft Z3 and SRI Yices. For the 
SAT-based PLTL encoding we used MiniSat. 

The first set of experiments was carried out selecting 
some operation sequences on the expected service presented 
in Section V. The selected sequences set comprises the 
simple sequence analyzed in the case study plus sequences 
of growing length obtained trying to execute up to 5 consecutive 
searchSongs and checkSongExists operations. 
We set the time bounds for the experiments using 
a simple heuristic, based on the sum of the states of the 
automata of the input services. In those cases in which the 
abstract sequence featured repeated invocations of the same 
operation, the time bound was augmented with the number 
of repetitions of each operation. This set of experiments 
produced a set of mapping scripts that we checked by 
inspection. Fig. 4(a) and Fig. 4(b) report the overall results. 
Fig. 4(b) shows that the CLTLB(DL) encoding has lower 
memory occupation than the SAT-based PLTL encoding for 
the same problem. Fig. 4(a) shows that the CLTLB(DL) 
encoding on Z3 performs much better than the others. 

* The experiment sets are available at 
http://home.dei.polimi.it/cavallaro/sefmlO-experiments.html 
Z3: http://research.microsoft.com/en-us/um/redmond/projects/z3/ 
Yices: http://yices.csl.sri.com/ 
MiniSat: http://minisat.se/ 

Table I 
Mapping script generated for the example in this section 

Step 1 
  Execution trace content: LyricWiki State: start; LyricWiki Operation: checkSongExists; 
  LyricWiki Input: song, artist; LyricWiki Output: lyricId, lyricCheckSum; 
  chartLyrics State: start 
  Counters value: all counters set to 0 

Step 2 
  Execution trace content: LyricWiki State: s1; 
  chartLyrics Input: song, artist; 
  chartLyrics Output: song, artist, artistUrl, songRank, lyricsId, lyricChecksum; 
  chartLyrics State: start; chartLyrics Operation: searchLyric 
  Counters value: seen(song) = seen(artist) = 1; 
  needed(lyricId) = needed(lyricCheckSum) = 1 

Step 3 
  Execution trace content: LyricWiki State: s1; LyricWiki Operation: searchSongs; 
  LyricWiki Input: song, artist; LyricWiki Output: song, artist; 
  chartLyrics State: searchLyric_start 
  Counters value: seen(song) = seen(artist) = 0; 
  needed(lyricsId) = needed(lyricCheckSum) = 0; 
  needed(artist) = needed(artistUrl) = -1; 
  needed(song) = needed(songRank) = -1 

Step 4 
  Execution trace content: LyricWiki State: s_?; 
  chartLyrics State: searchLyric_start; chartLyrics Operation: None 
  Counters value: seen(song) = seen(artist) = 1; 
  needed(song) = needed(artist) = 0 

Step 5 
  Execution trace content: LyricWiki State: s_?; LyricWiki Operation: getSong; 
  LyricWiki Input: lyricId, song, lyricCheckSum, artist; 
  LyricWiki Output: song, artist, lyricCorrectUrl, Lyric; 
  chartLyrics State: searchLyric_start 
  Counters value: no changes 

Step 6 
  Execution trace content: LyricWiki State: s_?; 
  chartLyrics Input: lyricId, lyricCheckSum; 
  chartLyrics Output: song, artist, artistUrl, lyricRank, Lyric, lyricCorrectUrl, lyricCoverArtUrl; 
  chartLyrics State: searchLyric_start; chartLyrics Operation: getLyric 
  Counters value: seen(song) = seen(artist) = 2; 
  seen(lyricCheckSum) = seen(lyricId) = 1; 
  needed(song) = needed(artist) = 1; 
  needed(lyricCorrectUrl) = needed(Lyric) = 1 

Step 7 
  Execution trace content: LyricWiki State: s_?; LyricWiki Operation: None; 
  chartLyrics State: end; chartLyrics Operation: None 
  Counters value: seen(lyricCheckSum) = seen(lyricId) = 0; 
  needed(song) = needed(artist) = 0; 
  needed(lyricCorrectUrl) = needed(Lyric) = 0; 
  needed(artistUrl) = needed(lyricRank) = -1 

(The subscripts of the LyricWiki states in steps 4 to 7 are illegible in the source and are written s_?.) 

Lastly, we tried to push the limits of our technique to 
check its robustness. To do so, we generated simple service 
protocols featuring operations with a growing number of 
parameters. We chose this setting for our experiments based 
on our experience in the common practice, which suggests 
that services usually exhibit very simple protocols, while 
operations sometimes have a considerable number of parameters. 
Note that the models used in these experiments 
are much bigger than those commonly found in practice. 
The experiments are based on expected and actual services 
with 10 states, and a trace bound of 21 time instants. The 
results are shown in Fig. 4(c) and in Fig. 4(d). The number 
of parameters used in experiments ranges from 10 (i.e. each 
operation has 10 input and 10 output parameters) to 90. 
As shown in the figures, the CLTLB(DL) encoding on Z3 
was the only one we managed to push up to 90 parameters, 
while we stopped experimenting much earlier with the PLTL 
encoding on Yices, Z3 and MiniSat. Note that in Fig. 4(c) and 
4(d) the combination CLTLB(DL)/Yices is missing because 
of its poor performance on this set of experiments (the 
simplest case was solved in more than 500 seconds). 

VII. Related Work 

Our approach is closely related both to works supporting 
substitution of services and to works about verification 
using model checking. Many approaches that support the 
automatic generation of adapters (or equivalent mechanisms) 
are based on the use of ontologies and focus on non-conversational 
services (see for instance [6], [13]). They all 
assume that the usual WSDL definition of a service interface 
is enriched with some kind of ontological annotation. At 
run-time, when a service bound to a composition needs to be 
substituted, a software agent generates a mapping by parsing 
such ontological annotations. SCIROCO [14] offers similar 
features but focuses on stateful services. It requires all services 
to be annotated with both a SAWSDL description and 
a WS-ResourceProperties [15] document, which represents 
the state of the service. When an invoked service becomes 
unavailable, SCIROCO exploits the SAWSDL annotations to 
find a set of candidates that expose a semantically matching 
interface. Then, the WS-ResourceProperties document associated 
to each candidate service is analyzed to find out 
if it is possible to bring the candidate in a state that is 
compatible with the state of the unavailable service. If this 
is possible, then this service is selected for replacement of 
the one that is unavailable. All these three approaches offer 
full run-time automation for service substitution, but as the 
services they consider are not conversational, they perform 
the mapping on a per-operation basis. An approach that 
generates adapters covering the case of interaction protocol 
mismatches is presented in [16]. It assumes to start from 
a service composition and a service behavioral description 
both written in the BPEL language [17]. These are then 
translated into the YAWL formal language [18] and matched in 
order to identify an invocation trace in the service behavioral 
description that matches the one expected by the service 
composition. The matching algorithm is based on graph 
exploration and considers both control flow and data flow 
requirements. The approach presented in [19] offers similar 
features and has been implemented in an open source tool. 
While both these approaches appear to fulfill our need for 
supporting interaction protocol mapping, they present some 
shortcomings in terms of performance, as shown in [?]. 

Figure 4. Experimental Results 

Although QF-UFIDL involves variables over an infinite domain, 
our particular BMC of CLTLB(DL) formulae became 
effective because it is not used as an infinite-state model 
checking procedure. In general, transition systems defined 
by arithmetic constraints provide a large class of infinite-state 
systems which are suitable for modeling a large variety 
of applications. So, intensive work has been devoted to 
identifying useful classes with decidable reachability and safety 
properties [20], [21]. Some implemented procedures [22] 
rely on a pure operational approach, and the complexity 
of the decision problem of the underlying arithmetic (3-EXPTIME 
in the case of Presburger logic) does not make 
them appropriate for runtime checking. Much effort is also 
devoted to studying the decidability and complexity of temporal 
logics of arithmetic constraints [24], [25], [?], [?]. [26] 
proposes a semi-decision procedure aimed to be used for 
model checking of an extension of CTL* with Presburger 
constraints. Finally, an operational approach to BMC which 
exploits a direct translation of LTL formulae of arithmetic 
constraints is suggested in [27]. Our approach offers a mixed 
operational-descriptive BMC based on the satisfiability of 
CLTLB(DL) formulae which enjoys the NP-completeness 
of the decision problem of DL, significantly less than that 
of more complex theories. 

The Dinapter tool: http://sourceforge.net/projects/dinapter 

VIII. Conclusion 

In this paper we introduced an efficient encoding for a 
linear temporal logic with arithmetic constraints. Our encoding 
was found very suitable for application to a real problem 
taken from the SOA domain and showed better performance 
and lower memory occupation than the other encodings 
we compared it with. The research work is currently still 
ongoing. For future work we plan to further experiment with 
our encoding and to investigate its theoretical properties. 